Looking at Good Application Security – It’s Not Just about Penetration Testing

(An updated version of an article from Tek-Tips, originally published in 2010: http://tek-tips.nethawk.net/looking-at-what-makes-good-application-security-knowledge/)

In 2013, there is still a growing reliance on penetration testing to identify all the flaws in the security of systems and applications. This is a flawed approach. While penetration testing is important, and we believe a must-do for all new systems and applications being rolled out, if this is all you are doing, you really need to assess your whole security framework and systems development lifecycle. Penetration testing is just an assurance assessment – only one component of how an application should be reviewed, audited and tested by companies.

Security audit for commercial sites

An interesting note found in a recent online security report has stated that malicious programmers have begun to target specific social websites for drive-by infections.

While in the past scammers would set up their own pages and attempt to drive traffic to them to gain control over a victim’s machine or network, there has been a shift in recent years towards compromising legitimate URLs.

According to the Malicious Code Trends section in Symantec’s Internet Security Threat Report 2011 – published back in April 2012 – approximately 61 per cent of all sites listed as containing shadowy programs are “actually regular web sites that have been compromised and infected with malicious code”.

The top five sites for these kinds of attacks are blogs, personal sites, business or economics pages, online shopping venues and educational references.

It could be that the largest of these – the blogs and personal communications sector at 19.8 per cent – are the least well defended because they tend to be utilised by their owners as a communications platform and journal rather than a money-making enterprise.

This theory seems to be backed up by the fact that the second-largest proportion of legitimate sites infected with malware is personal hosting services on 15.6 per cent – a result that seems to follow a noticeable trend.

It could be that the activities the pages are meant to support have a direct effect on the amount of effort that is put into ensuring their safety for visitors.

People who are in charge of commercial sites and sales channels – ten per cent and seven per cent respectively – are more experienced with controlling how their back end is accessed and how to defend against malicious activities.

The difference is that – while it is in everyone’s best interests to protect repeat visitors to online venues – commercial concerns simply have more to lose by allowing their customers and clients to suffer from their lack of in-depth vulnerability management schedules.

That being said, the fact is that 17 per cent of legitimate sites infected with malware belong to enterprises that either trade goods and services or relay economic and financial information to their customers.

This means that every incident of infection has the potential to disrupt their flow of income – be it from advertising revenue or customer transactions.

Patching routines examined by penetration testing services

Fake software updates have been identified as being pushed through free Wi-Fi in cafes and hotels – prompting security professionals to warn travellers to keep their software up to date before they head abroad.

An alert was issued by the Internet Crime Complaint Center on May 5 which said that recent intelligence operations by the Federal Bureau of Investigation (FBI) have uncovered malicious applications being spread through wireless connections in a range of hospitality venues.

According to the report, travellers attempting to access these Wi-Fi points have encountered a pop-up window that seems to be guiding them to update “a widely used software product”.

“The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available,” said the report.

On clicking the button to accept this ‘upgrade’, malicious programs would be downloaded and installed that could compromise the device’s integrity.

The report states: “The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products on their hotel Internet connection.”

While regular audits and upgrades can help to make a difference in defending digital assets from outside intrusion, a penetration testing service can provide the insight and training organisations need to instil security-conscious behaviour in all travelling staff members.

Cyber attacks can have devastating healthcare consequences

An increased uptake in wireless technology has left some medical facilities – and their patients – exposed to new security vulnerabilities.

A new US report prepared by the National Cybersecurity and Communications Integration Center reveals that wireless medical devices (MDs) – which are connected to information technology (IT) networks – are creating new opportunities in this field, but are not without their risks.

Healthcare and public health organisations have much to gain from emerging wireless technology that allows for remote access – benefiting from enhanced operations, improved ease of use and rapid computing speed.

However, the report asserted, “the communications security of MDs to protect against theft of medical information and malicious intrusion is now becoming a major concern”.

Vulnerabilities in such wireless systems could have a number of dangerous consequences – ranging from vandalism, device reprogramming or even the loss or theft of sensitive medical information, which can compromise patients’ personal privacy and can result in identity theft.

Often, according to the report, these vulnerabilities can arise through poor security practices, misconfigured networks or errors made during the implementation or deployment of new technologies.

These can also occur through the increasing uptake of mobile devices and wireless networks.

Sometimes, these technologies are so new that IT departments are unaware of how to adequately secure them or keep up with changing trends. Others fail to install the necessary updates for these systems, which can open them up to further risks later down the line.

Penetration testing is one strategy that can be used to identify these risks and can help businesses of all types – including healthcare organisations – stay on top of any potential operational weaknesses.

This type of testing can not only alert you to any potential security issues that could affect your business, but also the consequences – both operational and financial – of a malicious attack.

Gartner reports on changing mobile trends

With a rising number of businesspeople encouraged to use their own mobile devices – rather than company-owned phones – for work, mobile security is becoming an increasingly important consideration.

According to new research from Gartner, IT developers need to take a more proactive approach to mobile security – and rather than a single-standard solution, developers may wish to instead consider “managed diversity”.

This term refers to flexible strategies for managing a range of mobile devices – including those that are owned by individuals and the business.

“This is the only approach that helps IT leaders maintain control over mobility, and supports bring-your-own-device programs,” said Gartner research director Terrence Cosgrove.

He explained that an effective mobile device management (MDM) strategy hinges on the ability of operations and security teams to co-ordinate effectively.

Specific mobile security measures must be taken to ensure that devices are configured to match company policy, Gartner suggests, noting that many corporate policies call for devices to be password-protected, or for the ability for sensitive information to be wiped in the event of a security breach.

Cosgrove explained: “Because of the complexity of the mobile device landscape, there must be a person or group responsible for monitoring this landscape and for understanding users’ demands for new types of device and the impact that new platforms have on applications.”

He added that security professionals and the monitoring individual or group need to meet on a regular basis to address any changes in the technological landscape – and to assess their impact on the security of an organisation.

Adopting a managed diversity strategy can help companies keep costs down in the long run, Gartner noted, particularly when it comes to user productivity.

Having support from the IT department is crucial when it comes to security, the research body added, as otherwise users may attempt to circumvent IT standards – and therefore increase the risk of noncompliance costs.

If I had a Dollar – penetration testing and security myths from Steve Darrall, Securus Global Practice Manager

If I had a dollar… part 1 of (well, who knows?)

This post will be the first in a series from Securus Global where we dispel a few information security myths that we hear on an all too regular basis to the point that if we were paid every time we heard them we’d be sunning ourselves on a quiet pacific island. 🙂

No doubt, you’ve heard most of these yourselves and may wonder if you’re alone. You’re not.

So without further ado, here’s our first installment…

“Once security testing is complete, we’ll put it into production”. This isn’t the best of project management approaches to take, from our experience. Any project should allow time for remediation and retesting activities to take place. Security testing shouldn’t be seen as a tick in the box on your project schedule.

Australian government looking for a security vote

The Australian government is considering its options in relation to the communications monitoring powers held by the Australian Security Intelligence Organisation (ASIO).

In particular, the federal body is reviewing public sentiment on a number of proposals that could force internet service providers (ISPs) to retain user details for up to two years. However, it has been decided that the data retention scheme will be put forward for public debate before it is entered into legislation. According to Chris Owen – spokesman for the federal attorney-general Nicola Roxon – a review will be held by a parliamentary joint committee to determine how the laws will be put into effect.

Mr Owen told SC Magazine on May 4: “We haven’t drafted legislation yet and we are seeking a wide view of opinion before we consider the reforms in detail.”

This move is being made nearly two years after discussions between intelligence authorities and ISPs regarding data retention, vulnerability management and the use of federal warrants.

Current plans will see the number of agencies that are able to access potentially sensitive user information reduced over time. However, greater information-sharing protocols will see more exchanged between authorities more freely than in previous years – enabling a single warrant to be used across multiple organisations.

Conficker worm threat spread by basic password failure

A recent report by software leader Microsoft has found that the threat posed by the Conficker worm has continued to grow in 2012. The Security Intelligence Report volume 12, issued by the Trustworthy Computing division, shows that the malware has been detected over 220 million times in the past two years.

This is especially troubling for enterprises, as the Conficker worm has been noted to make use of common or weak administrative passwords to gain access to a system, where it can begin to infect every machine on a network. The malware carries with it a set of hard-coded examples of simple codes and terms – including ‘admin’, ‘12345’, ‘coffee’ and ‘password’.

Perhaps the most tragic side to the botnet dilemma is that it could be avoided with the use of a basic security audit, according to the head of Microsoft’s Trustworthy Computing division Tim Rains, who said that many organisations “are running on weak passwords” and failing to patch their systems regularly.

“Conficker is one of the biggest security problems we face, yet it is well within our power to defend against,” asserted Mr Rains. “It is critically important that organisations focus on the security fundamentals to help protect against the most common threats.”
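The defensive counterpart to a hard-coded guessing list is a denylist applied at the point where an administrative password is set or audited. The following is an added example, not code from the article or from Microsoft: it rejects the four terms the report quotes, catches trivial variants of them (a capital letter, a year appended, ‘0’ for ‘o’), and applies a few fundamentals checks. The denylist, the 12-character minimum and the sample accounts are all constructed for illustration; a real deployment would load a large breached-password corpus rather than a ten-entry set.

```python
import re
from typing import Dict, List

# Constructed denylist for this example: the four terms the report quotes plus
# a handful of equally common defaults. Production code would load a large
# breached-password corpus instead of a hand-written set.
WEAK_PASSWORDS = frozenset({
    "admin", "12345", "coffee", "password",
    "administrator", "123456", "qwerty", "letmein", "root", "changeme",
})

MIN_LENGTH = 12  # assumed policy value, not taken from the report

# Common character substitutions that guessing wordlists also try (p@ssw0rd).
LEET_MAP = str.maketrans("01345@$!", "oleasasi")


def normalise(password: str) -> str:
    """Reduce a password to its base word so trivial variants of a denylisted
    term (Coffee2013!, P@ssw0rd) are caught as well as the exact term."""
    base = password.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # drop trailing digits/punctuation
    return base.translate(LEET_MAP)         # undo leet substitutions


def check_password(password: str) -> List[str]:
    """Return the reasons a password is unacceptable; an empty list means it passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WEAK_PASSWORDS:
        reasons.append("matches a known default/weak password")
    elif normalise(password) in WEAK_PASSWORDS:
        reasons.append("is a trivial variant of a known weak password")
    if password.isdigit():
        reasons.append("digits only")
    if len(set(password)) <= 2:
        reasons.append("uses only one or two distinct characters")
    return reasons


def audit_accounts(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_password over a username->password mapping (for example in a
    password-change hook) and return only the accounts that fail."""
    failures = {}
    for user, password in accounts.items():
        reasons = check_password(password)
        if reasons:
            failures[user] = reasons
    return failures


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration; not real credentials.
    SAMPLE = {
        "svc_backup": "admin",
        "helpdesk": "Coffee2013!",
        "dba": "correct-horse-battery-staple",
        "kiosk": "aaaaaaaaaaaa",
    }
    for user, reasons in audit_accounts(SAMPLE).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Running the block flags svc_backup, helpdesk and kiosk and leaves dba alone; the variant check is what turns a four-word denylist into something that also stops the seasonal “Coffee2013!” that a naive exact-match comparison would accept.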

Google raises cash bounty for vulnerability management bugs

Google has demonstrated its ongoing commitment to protecting its information assets by raising the cash bounty it pays for security gaps found by intrepid ethical hackers. The search giant has scaled up the maximum amount paid for exposed vulnerabilities from around $3,000 to $20,000.

The rewards go to researchers and ethical hacking specialists who are able to spot exploits that could be used by malicious parties to gain access to sensitive information.

According to Adam Mein and Michal Zalewski of Google’s Security Team, the Vulnerability Reward Program “has made Google users safer”.

The Google staffers wrote: “This collaboration with the security research community has far surpassed our expectations – we have received over 780 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by fifty or so companies that we have acquired.”

To reflect the targeted nature of the program, the search giant is now offering $20,000 for the identification of vulnerabilities that could allow for code execution on Google’s production system, as well as payments of $10,000 for SQL injection and authentication gaps.

While not every enterprise can offer the same sort of cash bounty, regular security audits can go a long way to protecting proprietary information assets from malicious activity.

Cautious IT behaviour highlighted in 2012

A new survey from Gartner has shown that 2012 may be set to become the year of cautious IT behaviour, as companies face economically turbulent market conditions. For many chief executive officers (CEOs), the uncertain financial situation presented by their competitors and stakeholders presents a powerful argument for investing in new developments.

Gartner’s survey of over 220 CEOs, published on April 16, found that – while fiscal responsibility and cost control had grown in priority – IT investment was to grow over the remainder of the year. Vice president at Gartner Jorge Lopez explained that the drive to produce additional value from technology investment was “comparatively healthy”.

Mr Lopez asserted: “The newer trends, such as mobile and cloud, are rising to the foreground of CEOs’ attention.

“However, CRM remains CEOs’ favourite IT capability because marketing is a never-ending competitive quest for customer retention.”

While value is generated from the effective use of data mining and long-term relationship management activities, due diligence demands that the level of online security reflect the value of the material kept on hand. Ideally, vulnerability management measures should be an integral part of the planning process – with the costs and benefits factored into additional IT project planning.